Dailydave mailing list archives
Annoyances
From: Dave Aitel <dave () immunityinc com>
Date: Mon, 15 Sep 2008 08:30:38 -0400
You know what would be annoying? If every fifteen seconds a random VM was suspended just long enough to get a memory snapshot and then that snapshot was analyzed for CANVAS-style shellcode in every process. It's not hard to do now that the APIs are all opening up. Even a simple "This thread is running from the heap and is not Java" would work.

At that point the shellcode will have to jump into unused space in a DLL and then we all get to play statistical matching games to say "This function does not look like Visual Studio compiled it, unlike the rest of the DLL".

Anyways, there's a lot of cool stuff you can do from the hypervisor. Probably the stuff VMware and Microsoft and Xen don't want to talk about involved breaking DRM, writing invisible email-sniffing programs that hook Exchange's new email function, or other fun stuff. Just being able to get a clean copy of memory is cool, since you don't get one with a little daemon installed on the server (since memory changes as you copy it).

-dave
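The "this thread is running from the heap and is not Java" check described in the message above, sketched as an added example that is not part of the original post. The snapshot layout, the `Region` type, the `JIT_PROCESSES` allow-list and all addresses are assumptions constructed for illustration; a real tool would fill them from a hypervisor memory snapshot.

```python
from bisect import bisect_right
from dataclasses import dataclass

@dataclass(frozen=True)
class Region:
    start: int
    end: int       # exclusive
    backing: str   # "image" (mapped EXE/DLL), "heap", "stack" or "private"

# Assumption: runtimes that legitimately execute generated code outside images.
# Matching on process name alone is weak; it stands in for real JIT detection.
JIT_PROCESSES = {"java.exe", "javaw.exe"}

def find_region(regions, addr):
    """Return the region containing addr (regions sorted by start), or None."""
    starts = [r.start for r in regions]
    i = bisect_right(starts, addr) - 1
    if i >= 0 and regions[i].start <= addr < regions[i].end:
        return regions[i]
    return None

def flag_threads(snapshot):
    """Flag threads whose instruction pointer is not inside a mapped image."""
    findings = []
    for proc in snapshot:
        regions = sorted(proc["regions"], key=lambda r: r.start)
        is_jit = proc["name"].lower() in JIT_PROCESSES
        for tid, ip in proc["threads"]:
            region = find_region(regions, ip)
            if region is None:
                findings.append((proc["pid"], tid, "ip in unmapped memory"))
            elif region.backing != "image" and not is_jit:
                findings.append((proc["pid"], tid, f"ip in {region.backing} memory"))
    return findings

# Constructed sample snapshot: three processes, four threads.
SNAPSHOT = [
    {"pid": 412, "name": "svchost.exe",
     "regions": [Region(0x400000, 0x480000, "image"), Region(0x1A0000, 0x1C0000, "heap")],
     "threads": [(1, 0x401200), (2, 0x1A4F10)]},
    {"pid": 977, "name": "java.exe",
     "regions": [Region(0x400000, 0x420000, "image"), Region(0x2000000, 0x2100000, "private")],
     "threads": [(1, 0x2000400)]},
    {"pid": 1300, "name": "notepad.exe",
     "regions": [Region(0x1000000, 0x1010000, "image")],
     "threads": [(1, 0x7FFE0000)]},
]

if __name__ == "__main__":
    for pid, tid, reason in flag_threads(SNAPSHOT):
        print(f"pid={pid} tid={tid}: {reason}")
```

This covers only the first heuristic in the message; code placed in unused space inside a mapped DLL would pass this check, which is the limitation the message goes on to describe.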